said by Privateeye: said by cybersaga: said by Privateeye: TCPdump is for sniffing wireless
Well I know that is not correct, since I used it on my wan interface and it did indeed capture traffic, including traffic that originated from my one computer that's wired.
It can capture wired packets, but it is mainly for wireless sniffing for data. You just miss the point if that's all you get hung up on. That's not the right tool for the job.
Use syslog, not a sniffing program. That's what it was made for. It will give you the info you need without needing to capture huge amounts of data in a certain time frame and hope your problem happens in that time frame. Syslog can just monitor 24/7.
If you don't know how to mount jffs, I don't think OpenWrt is the right firmware for you honestly.
God only knows what directories you chmod'ed and left open for the mischievous DNS poisoner....lol
Wow - all kinds of wrong... Cybersaga, please disregard what he's saying... he clearly has limited knowledge on this. You were on the right track to look at network data to figure out what's happening.
@"privateeye": Not only does tcpdump predate wifi, tcpdump is always the right tool for the job, whenever you're trying to figure out behavior of either the network, or applications running on it. Please be more responsible handing out "advice" on the internet. You're in no position to chastise someone for not knowing how to mount an obscure, limited-scope file system... you should ensure you've earned the right to do so first. Syslog was made to provide the user exactly what happened here, notification of something wrong. As for your DNS poisoning remark... you may want to look up DNS poisoning. Privileged file access not required. Your post value: 0.
@Cybersaga: You should certainly take a look at how OpenWRT is set up. But, if reviewing config and running services doesn't provide you with insight, and you need assistance with analyzing tcpdump output to resolve this, PM me. I develop for an enterprise monitoring tool based on network sniffing, so I'd like to think I'm better placed to provide assistance here. Remember though, DNS is UDP, and tcpdump will do lookups by default too, so you'll need appropriate switches on tcpdump... something like this:
tcpdump -i $ifname -n -l -s 20 udp port 53
•The -n prevents host lookups, which would just pollute this.
•The -l ensures you get a new line for each packet, so that effectively each query and response is on a new line, which makes it easier to read if you're pushing to stdout. Alternatively, specify -w to dump into a file. You can later replay it with -r, or use wireshark.
•-s 20 is because you don't need much of the payload. In fact, I'm pretty sure you can get away with -s 0 here, but I'm just not sure.
•Finally the filter is self-explanatory.
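As an added example (not part of any post in this thread, and not code from the tcpdump project), here is one way to make use of the line-per-packet output the command above produces when pushed to stdout. It assumes the text form tcpdump prints for UDP port 53 with -n (addresses with the port appended, a transaction id, then either "A? name." for a query or "1/0/0 A addr" for an answer); SAMPLE_OUTPUT is a constructed sample, and the 192.168.1.x, 198.51.100.53 and 10.99.99.99 addresses in it are made up. The script pairs each answer with the query it belongs to by transaction id and client socket, counts which resolvers the LAN is actually talking to, and separates out answers that carry a valid id but arrive from an address other than the resolver that was asked, which is the pattern a defender wants to see surfaced when DNS results look wrong.

```python
"""Summarise DNS traffic from tcpdump's line-per-packet (-n -l) output.

Added example: parses the text tcpdump prints for 'udp port 53' with -n (no
name resolution) and pairs queries with answers by transaction id and client
socket, so unexpected resolvers, spoofed-looking answers and unanswered
queries stand out. SAMPLE_OUTPUT is constructed; all addresses are made up.
"""
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -l udp port 53` output (assumed format).
SAMPLE_OUTPUT = """\
12:00:01.000100 IP 192.168.1.10.51234 > 192.168.1.1.53: 4321+ A? example.com. (29)
12:00:01.000900 IP 192.168.1.1.53 > 192.168.1.10.51234: 4321 1/0/0 A 93.184.216.34 (45)
12:00:02.000100 IP 192.168.1.10.51235 > 192.168.1.1.53: 4322+ A? update.example.net. (36)
12:00:02.000500 IP 10.99.99.99.53 > 192.168.1.10.51235: 4322 1/0/0 A 203.0.113.7 (52)
12:00:02.000900 IP 192.168.1.1.53 > 192.168.1.10.51235: 4322 1/0/0 A 198.51.100.20 (52)
12:00:03.000100 IP 192.168.1.10.51236 > 198.51.100.53.53: 4323+ A? example.org. (29)
"""

# timestamp, src.port > dst.port: txid[flags] rest (length)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<rest>.*) \(\d+\)$"
)


def parse_line(line):
    """Parse one tcpdump line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["dport"] == "53":
        q = re.match(r"(?P<qtype>\w+)\? (?P<qname>\S+)", rec["rest"])
        if not q:
            return None
        rec.update(kind="query", qtype=q["qtype"], qname=q["qname"].rstrip("."))
    elif rec["sport"] == "53":
        parts = rec["rest"].split()
        # First token is answer/authority/additional counts (e.g. "1/0/0"),
        # the remainder is the answer section as tcpdump prints it.
        rec.update(kind="response", counts=parts[0], answers=" ".join(parts[1:]))
    else:
        return None
    return rec


def analyze(text, allowed_resolvers):
    """Pair queries with answers and flag what a defender would want to look at."""
    pending = {}  # (txid, client ip, client port) -> query record
    report = {
        "queries": 0, "responses": 0,
        "resolvers": defaultdict(int),      # how often each resolver was asked
        "unexpected_resolvers": set(),      # resolvers outside the allow-list
        "spoofed_answers": [],              # right txid/socket, wrong source address
        "orphan_answers": [],               # answers with no matching query
        "answered": {},                     # qname -> answer section
    }
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            report["queries"] += 1
            report["resolvers"][rec["dst"]] += 1
            if rec["dst"] not in allowed_resolvers:
                report["unexpected_resolvers"].add(rec["dst"])
            pending[(rec["txid"], rec["src"], rec["sport"])] = rec
        else:
            report["responses"] += 1
            q = pending.get((rec["txid"], rec["dst"], rec["dport"]))
            if q is None:
                report["orphan_answers"].append(rec)
            elif rec["src"] != q["dst"]:
                report["spoofed_answers"].append((q["qname"], rec["src"], rec["answers"]))
            else:
                report["answered"][q["qname"]] = rec["answers"]
    report["unanswered"] = [q["qname"] for q in pending.values()
                            if q["qname"] not in report["answered"]]
    return report


if __name__ == "__main__":
    # Run over the constructed sample; in practice pipe tcpdump's stdout in.
    r = analyze(SAMPLE_OUTPUT, allowed_resolvers={"192.168.1.1"})
    print("resolvers asked:", dict(r["resolvers"]))
    print("unexpected resolvers:", r["unexpected_resolvers"])
    print("answers from an address other than the one queried:", r["spoofed_answers"])
    print("queries never answered:", r["unanswered"])
```

With the real command, feed the live stream in (for example `tcpdump -i $ifname -n -l udp port 53 | python3 dnswatch.py`, reading stdin instead of SAMPLE_OUTPUT) and leave it running, which also answers the objection earlier in the thread that a capture has to be timed to catch the problem.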